Q&A: Information Sharing in the Ransomware Payment Ecosystem


Welcome back to The TechnologIST! This month marks the third anniversary of the Ransomware Task Force, IST's public-private task force that put forward 48 recommendations towards combating ransomware. Next Wednesday, April 24, join us for an all-day event to double down on the 24 recommendations that have seen little or no progress.

The Hive Ransomware Group Takedown: "The culmination of a quiet, strategic, sprawling, sequenced operation"

Since 2021, the Hive ransomware group is said to have carried out over 1,300 attacks against victims in 80 countries. The prolific group, which employed a ransomware-as-a-service model, caused major disruptions to businesses, governments, and critical infrastructure like hospitals. In one case, a hospital was said to have been forced to "resort to analog methods to treat existing patients" in the aftermath of a Hive attack.

In January 2023, an internationally coordinated law enforcement effort seized the group's infrastructure and servers overnight. IST’s latest report, Information Sharing in the Ransomware Payment Ecosystem, describes what happened: "The disruption was the culmination of a quiet, strategic, sprawling, sequenced operation, and highlights what can be achieved when governments, law enforcement, security researchers, and the private sector share information and collaborate with victims to combat the ransomware threat."

The Hive disruption operation is one example of a case in which information sharing enabled a successful outcome. Report author Zoë Brammer takes the Hive disruption operation, along with the Emotet botnet takedown and the Colonial Pipeline ransom recovery, as case studies in an effort to identify what enabled their success and point to opportunities for these disruptive successes to be replicated at scale.

To learn more about the research involved and the attack scenario conducted by the Ransomware Task Force Payments Working Group, I sat down with report author Zoë Brammer and report contributor Trevaughn Smith.

Q&A: Information Sharing in the Ransomware Payment Ecosystem

Tell me more about the exercise that you set up – how did it work? Who decides what a standard ransom attack scenario looks like? And what came out of it?

Zoë Brammer: This exercise was conducted by IST's Ransomware Task Force Payments Working Group, which includes representatives from blockchain analytics companies, cyber insurers, financial institutions, digital forensics firms, law enforcement, researchers, and government. In a series of meetings, the working group walked step by step through a hypothetical but realistic ransomware attack scenario, identifying how and when information about the attack might be shared through formal mechanisms. There wasn't one defined "standard" scenario; rather, the exercise explored different potential scenarios based on the group's collective experience. The key takeaway? Information sharing practices vary dramatically across cases, based on the victim and their representative's resources, risk tolerance, and relationships.

In the report, you write, "The Hive, Emotet, and Colonial cases illustrate instances in which information sharing enabled successful outcomes. They are also exceptions to the norm." Based on your research, what enabled them to be these exceptions? And moving forward, how can we ensure that we make information-sharing success stories the norm?

Zoë: The Hive, Emotet, and Colonial Pipeline cases succeeded largely due to two key factors: 1) victims, security researchers, and private sector entities shared critical information with the U.S. government in a timely, specific, and detailed manner, and 2) law enforcement, with help from security researchers and private sector entities, was able to gain access to attacker infrastructure for disruption. To make these successes more common, the report recommends improving guidance, incentives, and streamlining processes for victims to report incidents and share information more consistently, and institutionalizing reciprocal information sharing between the public and private sectors.

As you mention in the report, the CIRCIA Notice of Proposed Rulemaking came out in March 2024. What impact does CIRCIA stand to have on the information-sharing ecosystem?

Zoë: CIRCIA stands to significantly improve information sharing to CISA by mandating that critical infrastructure entities report cyber incidents like ransomware attacks within 72 hours. This will enhance both the quantity and level of detail of information reported from these key sectors, especially if it leads to a consolidated reporting process that combines technical indicators with victim and threat actor details.

Do governments, including the U.S. government and Europol/Eurojust, actually currently have the capacity to lead these major efforts on a more consistent basis, or as frequently as the actual threats arise?

Zoë: While the FBI, DOJ, and international partners demonstrated their ability to lead major disruption operations in the cases highlighted, they are not yet able to replicate these successes consistently and at scale. More systematic information sharing processes, resources, and coordination with the private sector are likely needed in order to scale these operations.

Is the current disruption model enough to exert long-term impact on the ecosystem? Should we be doing something different?

Zoë: The current disruption model, while impactful, has only proven effective in unique circumstances. To exert longer-term ecosystem impact, the model should evolve to more comprehensively combine intelligence gathering, scaled cooperation with the private sector, efforts to seize attacker infrastructure, and consistent follow-through enabled by streamlined information flows.

What’s next for the Payments Working Group?

Trevaughn Smith: The RTF Payments Working Group is now focusing on recommendations to disrupt the resourcing phase. By grouping entities as legitimate vs. illegitimate entities, the latter existing solely to perpetuate malicious activity, the working group can work to provide more targeted recommendations to disrupt ransomware actors seeking to develop their infrastructure before an attack.

Elsewhere at IST

EVENT: 24 in ‘24: Doubling Down on the Ransomware Task Force Recommendations

In one week, on Wednesday, April 24, IST's Ransomware Task Force hosts 24 in '24: Doubling Down on the Ransomware Task Force Recommendations. This year's event includes keynotes by Senator Tim Kaine, former Director of the CIA's Center for Cyber Intelligence Andrew Boyd, and Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency of Singapore David Koh, panels moderated by the RTF co-chairs, and fireside chats featuring Craig Newmark, CISA director Jen Easterly, and more. Register to attend virtually.

EVENT: The Inaugural Cyber Policy Awards

On the evening of Wednesday, April 24 in Washington, DC, IST holds the first-ever Cyber Policy Awards, a gathering of the U.S. cyber policy community to honor and celebrate those who drove significant progress in the preceding year, and to make resolutions for the new year. Ahead of the event, the panel of judges chose and announced finalists for the awards of U.S. Policy Impact, International Impact, Ecosystem Champion, and Cyber Philanthropy/ist of the Year. Submit a request to attend in-person.

Strategic Balancing Initiative releases the second of three papers

SBI's first concept paper, released in February, outlined key misalignments between the public and private sectors in biotech, energy and quantum. Its second paper, Unlocking U.S. Technological Competitiveness: Evaluating Initial Solutions to Public-Private Misalignments, authored by VP for Geostrategic Risk Ben Purser and Senior Adjunct Advisor Pavneet Singh, proposes ways to bridge gaps between emerging technology sectors and the policy apparatus.

RTF co-chairs weigh in on payment bans

In response to the ongoing debate over ransomware payments, the Ransomware Task Force co-chairs published a Roadmap to Potential Prohibition of Ransomware Payments, which presents 16 proposed milestones across 4 different lines of effort that can and should be pursued concurrently. Following these recommendations could reduce the need for a ban, or facilitate its effective eventual imposition.

IST in the News

Elizabeth Vish and Gigi Flores Bustamante discuss public-private partnerships

Government Technology's Jule Pattison-Gordon spoke to Elizabeth Posegate Vish and Georgeanela Flores Bustamante about their recent report, Public Private Partnerships to Combat Ransomware, and what makes such initiatives successful. Both public and private stakeholders benefit from these partnerships, Elizabeth said. "A lot of private-sector actors really want to be collaborating more than they already are."

Michael McNerney warns victims of AT&T leak

IST Board Chair Michael McNerney spoke to CNN Newsroom's Fredricka Whitfield about the fallout of the AT&T data leak this month, urging customers, even those unaffected by the leak, to change their passwords. He also stressed the importance of critical infrastructure security, as many telecom companies have experienced leaks in recent years. "One of the questions we need to get to the bottom of is, why is this happening?" Michael said.

Elizabeth Vish weighs in on CIRCIA

As CISA releases the notice of proposed draft rulemaking for cyber incident reporting, fulfilling the mandate of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the private sector should begin preparing for compliance, Elizabeth Posegate Vish told CyberScoop's Christian Vasquez. "CISA needs to use these 18 months to build up their capacity," she said.

Taylor Grossman examines public-private partnerships aiding Ukraine

In an article for Binding Hook, IST Deputy Director for Digital Security Taylor Grossman and co-authors examined the state of partnerships between governments and the private sector for aid to Ukraine. "In past conflicts, governments marshalled industry to its aid. Now, in cyberspace, the roles are reversed," they write. "Industry now finds itself responsible for delivering significant impact on its own terms and on a large scale."

What We’re Reading

Want more tech and security content? Check out some of the ISTeam's favorite pieces from the past month:


The Institute for Security and Technology designs and advances solutions to the world's toughest emerging security threats. It is a nonpartisan, nonprofit organization based in the San Francisco Bay Area dedicated to solving critical international security challenges through better technology and policy. Donate today to support our mission.

For more information or media requests, please contact [email protected].

Thanks for reading The TechnologIST! If you were forwarded this email and want to subscribe to our mailing list, click here.
